Installing and Administering PPP

118 Chapter 5
Security Techniques
Writing a Stanza - TCP Examples
However, nothing is perfectly reliable. Being explicit can cause other
problems if you change the address of the server. Whether to use an IP
address instead of a hostname, or vice versa, can only be decided on a
site-by-site basis. Still, we strongly favor IP addresses over hostnames.
One benefit is that specifying the explicit IP address prevents people
from changing the meaning of your rulesets by DNS spoofing.
Conclusion
Build up the list of what you would let an unknown site do a little at a
time as you discover services you wish to allow. The important thing is
to remember to place ‘!all’ at the end of each filter. You and any future
manager can quickly see you are blocking all but specific packets and you
reduce the chance that someone will accidentally change the meaning of
the implicit ending stanza to ‘all’.
A Note - Blocking Loose Source and Strict Source Routing Options
Using the IP Source Routing options, it is possible for people to send
packets to you that look like they are coming from a host on your
network. Prevent this sort of attack by blocking packets that have the
Loose Source Routing or Strict Source Routing IP options set. If you
want to be restrictive, add the line below to all your rulesets, including
your default ruleset in the default pass filter:
!ip-opt=srcrt
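The two recommendations above, ending every ruleset with ‘!all’ and putting ‘!ip-opt=srcrt’ in every ruleset, can be checked with a small simulation. The following is an added example, not code from the manual or from the PPP software it describes. It models a ruleset as a list of rules evaluated in order, first match deciding, with a leading ‘!’ meaning block; the rule syntax it understands (‘all’, ‘tcp/<service>’, ‘ip-opt=srcrt’), the first-match order, and the configurable "implicit default" that stands in for the implicit ending stanza are all assumptions made for the illustration, and the sample packets are constructed.

```python
# Added example (not from the manual): a toy first-match evaluator for filter
# rulesets in the style of the stanzas discussed above. The rule syntax it
# understands ('all', 'tcp/<service>', 'ip-opt=srcrt', '!' for negation) and
# the first-match semantics are assumptions made for this illustration; the
# real PPP daemon's parser and defaults are not reproduced here.
from dataclasses import dataclass

# Constructed service-name table for this example only.
SERVICE_PORTS = {"smtp": 25, "telnet": 23, "domain": 53, "http": 80}


@dataclass(frozen=True)
class Packet:
    proto: str                            # "tcp", "udp", "icmp", ...
    dst_port: int = 0                     # destination port for tcp/udp
    ip_options: frozenset = frozenset()   # IP option names carried, e.g. {"srcrt"}


def rule_matches(rule: str, pkt: Packet) -> bool:
    """Return True if the (un-negated) rule text describes this packet."""
    if rule == "all":
        return True
    if rule.startswith("ip-opt="):
        return rule[len("ip-opt="):] in pkt.ip_options
    if "/" in rule:
        proto, service = rule.split("/", 1)
        port = SERVICE_PORTS.get(service)
        if port is None:
            port = int(service)           # allow a numeric port as well as a name
        return pkt.proto == proto and pkt.dst_port == port
    return pkt.proto == rule              # bare protocol name


def evaluate(ruleset, pkt: Packet, implicit_default: bool) -> bool:
    """First matching rule decides: a leading '!' means block, otherwise pass.

    implicit_default is the verdict when no rule matches; it stands in for the
    'implicit ending stanza' the text warns about (an assumption of this model).
    """
    for rule in ruleset:
        negated = rule.startswith("!")
        if rule_matches(rule.lstrip("!"), pkt):
            return not negated
    return implicit_default


def default_independent(ruleset, packets) -> bool:
    """True if every packet gets the same verdict whatever the implicit default is."""
    return all(evaluate(ruleset, p, True) == evaluate(ruleset, p, False)
               for p in packets)


# Constructed sample traffic.
SAMPLE = [
    Packet("tcp", 25),                                # plain SMTP
    Packet("tcp", 80),                                # HTTP, not in the allow list
    Packet("tcp", 25, frozenset({"srcrt"})),          # SMTP carrying a source-route option
]

OPEN_ENDED = ["tcp/smtp", "tcp/domain"]                           # no trailing !all
CLOSED = ["!ip-opt=srcrt", "tcp/smtp", "tcp/domain", "!all"]      # as the text recommends
MISORDERED = ["tcp/smtp", "tcp/domain", "!ip-opt=srcrt", "!all"]  # srcrt rule placed too late

if __name__ == "__main__":
    for name, rs in (("open-ended", OPEN_ENDED), ("closed", CLOSED),
                     ("misordered", MISORDERED)):
        verdicts = [evaluate(rs, p, True) for p in SAMPLE]
        print(f"{name:11s} default-independent={default_independent(rs, SAMPLE)} "
              f"verdicts={verdicts}")
```

Two things fall out of running it. The open-ended ruleset gives a different verdict for the unlisted HTTP packet depending on what the implicit default is, while the closed ruleset gives the same verdicts under either default, which is exactly why a trailing ‘!all’ makes the intent visible to a future manager. The misordered ruleset also shows that, under first-match evaluation, ‘!ip-opt=srcrt’ only protects the services listed before it if it comes first, so the source-routing block belongs at the top of each ruleset rather than just anywhere in it.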